Title: Making the CASE for Cyber-investigation Interoperability

Presenter(s): Eoghan Casey, Harm van Beek, Jessica Hyde, Cory Hall, Vik Harichandran, Mattia Epifani, Ryan Griffith, Deborah L. Nichols

Eoghan Casey, University of Lausanne, Switzerland, Harm van Beek, Netherlands Forensic Institute, Netherlands, Jessica Hyde, Magnet Forensics, Cory Hall, Vik Harichandran, John Andrew Sovern, The MITRE Corporation, Mattia Epifani, Fabrizio Turchi, Italian National Research Council, Claudia Meda, Realitynet, Deborah L. Nichols, US Department of Defense Cyber Crime Center.

Time: 09:30-12:30

Github: https://github.com/dfrws/dfrws2020-EU-workshops-CASE

Target Audience Skill Level:
Digital forensics and cyber-investigation data professionals, including practitioners and tool developers of all experience levels.

Learning Outcomes:
At the end of this workshop you should be able to:
● Be familiar with the cyber and forensics domain concepts covered in CASE and UCO.
● Know where to find the CASE and UCO ontologies and supporting framework tools.
● Understand the process for implementing CASE with specific digital investigations tools.
● Have an introduction to the CASE Community and members that support CASE adoption efforts.


The CASE Community is an international consortium with members from for-profit, academic, government and law enforcement, and non-profit organizations, which has created a new specification for the exchange of standardized cyber-investigation data between tools, systems, and organizations. The open-source Cyber-investigation Analysis Standard Expression (CASE) is a community-developed ontology designed to serve as a standard for interchange, interoperability, and analysis of investigative information in a broad range of cyber-investigation domains, including digital forensic science, incident response, counter-terrorism, criminal justice, forensic intelligence, and situational awareness. The CASE Workshop at DFRWS EU 2020 will begin with an update about the growing CASE community and its progress on the new version of CASE, and proceed through practical applications of CASE, including examples. Presenters will explain the CASE adoption process and offer a demonstration of mapping the data model for a forensic tool to the CASE ontology. This session builds on the CASE Workshop presented at DFRWS EU 2019, but newcomers are encouraged to attend and participate.


• CASE Community Update and Project Status (CASE Presiding Director: Eoghan Casey, University of Lausanne)

• CASE Roadmap – Plan and Progress toward CASE v1.0 (CASE Technical Director: Harm van Beek, Netherlands Forensic Institute)

• CASE Committees: How We Work (CASE Government Director: Ryan Griffith, DoD Cyber Crime Center)

• CASE Ontology Specification and MVP (CASE Ontology Committee: Deborah Nichols, MITRE)

• Overview of CASE Use Cases with Q&A (CASE For-profit Director: Jessica Hyde, Magnet Forensics)

• Illustrative Examples of CASE
o Cyber Objects in CASE Traces (CASE Ontology Committee: Mattia Epifani, CNR, Institute of Legal Informatics and Judicial Systems)
o Bespoke Filesystem Support Using CASE (CASE Ontology Committee: Gregory Webb, London Metropolitan Police)
o Inferencing with CASE (TBD)

• CASE Adoption Progress (CASE Adoption Committee Chair: Vik Harichandran, MITRE)

• CASE Integration: Mapping Demonstration (CASE Adoption Committee: Vik Harichandran, MITRE)

• Wrap-up and CASE Online Resources (CASE Presiding Director: Eoghan Casey, Univ. of Lausanne).